Packet traversal (forwarding) confusion
Ze'ev Maor
zeevm@siglab.technion.ac.il
Mon, 9 Jul 2001 10:57:23 +0300 (IDT)
The point you might be missing is that leaving the ipv4 protocol stack
through the OUT pathway (not to be mistaken with the OUTPUT pathway, which
is how packets generated locally enter the protocol stack) doesn't mean
leaving the host; the packet then (if forwarded to an address which is
also associated with the same host) can reenter the protocol stack.

If we're talking about forwarding from eth0 to eth1 and then out of the
machine, the packet enters the ipv4 protocol stack (from here on, ipv4)
from what we'll call the IN pathway. After routing, if routing decides it
should be forwarded, it traverses the FORWARD hook, then the POSTROUTING
hook (which has no rules in it if you're only manipulating the filter
table), and then it leaves ipv4. It then reenters it through the IN
pathway, only this time coming from the eth1 interface. It goes through
routing again, and if it is destined for forwarding (say out of the
machine into the internet or into your private network), it will traverse
the FORWARD and POSTROUTING hooks as before and leave through the OUT
pathway.

Hope this clears things up.

On Mon, 9 Jul 2001, Shane Chen wrote:
> Okay,
>
> There's actually something that's still unclear to me.
>
> If I forward a packet with a rule like:
>
> iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
>
> From what I understand, when a packet is forwarded, it doesn't traverse
> the INPUT chain. That is that it goes directly from IN to PREROUTING to
> FORWARD to POSTROUTING to OUT.
>
> So, if a packet arrives on interface eth0, and is forwarded without
> traversing INPUT (and through the localhost), how does it get to the OUT
> of eth1?
>
> I think I'm probably just not comprehending something simple.
>
> Shane
>
----------------------------------------------------------------------------
| Ze'ev Maor | "We all have a little Daemon inside... |
| zeevm@siglab.technion.ac.il | ...Craving to come out and become a kernel"|
----------------------------------------------------------------------------
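
An added example, not part of the original message: one way to check which hooks a packet traverses on a given host is to put a LOG rule with a distinct `--log-prefix` in each chain and group the resulting kernel log lines per packet. The prefix format `HOOK=<chain> `, the addresses and the log lines below are constructed for illustration, and the grouping key assumes no NAT rewrites the addresses between hooks.

```python
import re
from collections import defaultdict

# Constructed kernel log lines, as LOG rules with --log-prefix "HOOK=<chain> "
# would write them (the prefix format and all addresses are assumptions).
SAMPLE_LOG = """\
kernel: HOOK=PREROUTING IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 TTL=64 ID=4711 PROTO=TCP
kernel: HOOK=FORWARD IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.7 TTL=63 ID=4711 PROTO=TCP
kernel: HOOK=POSTROUTING IN= OUT=eth1 SRC=192.0.2.10 DST=198.51.100.7 TTL=63 ID=4711 PROTO=TCP
kernel: HOOK=PREROUTING IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 TTL=64 ID=4712 PROTO=TCP
kernel: HOOK=INPUT IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 TTL=64 ID=4712 PROTO=TCP
kernel: HOOK=OUTPUT IN= OUT=eth0 SRC=192.0.2.1 DST=192.0.2.10 TTL=64 ID=9001 PROTO=TCP
kernel: HOOK=POSTROUTING IN= OUT=eth0 SRC=192.0.2.1 DST=192.0.2.10 TTL=64 ID=9001 PROTO=TCP
kernel: eth1: link up
"""

FIELD = re.compile(r"(\w+)=(\S*)")   # KEY=value pairs; value may be empty ("OUT= ")
REQUIRED = {"HOOK", "IN", "OUT", "SRC", "DST", "ID"}

def parse_line(line):
    """Return the KEY=value fields of one LOG line, or None if it is not one."""
    fields = dict(FIELD.findall(line))
    return fields if REQUIRED <= fields.keys() else None

def trace_packets(log_text):
    """Group log lines per packet (SRC, DST, IP ID), preserving hook order."""
    traces = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is not None:
            traces[(f["SRC"], f["DST"], f["ID"])].append((f["HOOK"], f["IN"], f["OUT"]))
    return dict(traces)

def classify(trace):
    """Name the path a packet took from the set of hooks that logged it."""
    hooks = {hook for hook, _, _ in trace}
    if "FORWARD" in hooks:
        return "forwarded"
    if "INPUT" in hooks:
        return "local-in"
    return "local-out" if "OUTPUT" in hooks else "unknown"

if __name__ == "__main__":
    for key, trace in trace_packets(SAMPLE_LOG).items():
        path = " -> ".join(f"{h}(in={i or '-'},out={o or '-'})" for h, i, o in trace)
        print(key, classify(trace), path)
```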